Brexit and the Gibraltar GDPR, New Data Privacy Law

Brexit and the Gibraltar GDPR, New Data Privacy Law

The Gibraltar Data Protection Regulation or the Gibraltar GDPR for short is a data privacy law that was recently passed in the British Overseas Territory of Gibraltar in 2021. As the United Kingdom withdrew from the European Union on January 31, 2020, the country no longer fell under the jurisdiction of the EU’s GDPR law. As such, The United Kingdom enacted the UK General Data Protection Regulation or the UK GDPR law for short on January 1, 2021, for the purposes of regulating data processing activities within the country. However, as the UK GDPR law was not applicable within Gibraltar, the Gibraltar GDPR was passed for the purposes of regulating the collection and processing of personal data within the territory.

How are data controllers and processors defined under the Gibraltar GDPR?

Under the Gibraltar GDPR, a data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Conversely, the law defines a data processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Moreover, the law defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

What are the requirements of data controllers and processors under the Gibraltar GDPR?

Under the Gibraltar GDPR, data controllers and processors operating with the territory are required to adhere to the same data protection principles that were established by the EU’s GDPR law. These data protection principles include:

  • Lawfulness fairness and transparency.
  • Purpose limitation.
  • Data minimization.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality.
  • Accountability.

Furthermore, as it concerns the lawfulness of data collection and processing, the Gibraltar GDPR also remains largely unchanged when compared to the EU’s GDPR law. Under the Gibraltar GDPR, the collection and processing of personal data may only be lawful if and to the extent that at least one of various principles applies. Such principles include instances in which a data subject has given their consent as it relates to the processing of their personal data for one more specific purpose, instances in which “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”, and instances where processing is necessary for compliance in regards to a legal obligation to which a data controller is subject, among others.

What are the rights of Gibraltarian citizens under the Gibraltar GDPR?

Under the Gibraltar GDPR, Gibraltarian citizens have virtually the same rights as other citizens residing within EU member states have under the EU’s GDPR law. These rights include:

  • The right to be informed.
  • The right to access.
  • The right to rectification.
  • The right to erasure.
  • The right to the restriction of data processing.
  • The right to object or opt-out.
  • The right to data portability.
  • The right not to be subject to automated decision-making.

In terms of the enforcement of the Gibraltar GDPR, the law is enforced by the Gibraltar Regulatory Authority, or the GRA for short. To this point, the GRA has the authority to impose a number of penalties and fines against data controllers and processors who fail to comply with the provisions set forth in the law. Such sanctions include “administrative fines up to £8,700,000 ($11,810,380), or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”, as well as “administrative fines up to £17,500,000 ($23,756,512), or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”Additionally, Gibraltarians have the right to receive compensation from a data controller or processor for any damages they may have incurred as a result of violations of the law.

As Brexit led to a variety of political and legal complications both within the United Kindom and the nation’s various territories, new legislation was needed to protect the personal data of Gibraltarian citizens. This legislation took the form of the Gibraltar GDPR law, as the law effectively implements many of the provisions of the EU’s GDPR law into Gibraltarian law. To this end, the Data Protection (Bailiwick of Guernsey) Law, 2017, the UK’s GDPR law, and the Gibraltar GDPR represent the three foremost ways in which personal data is legally protected within both the United Kingdom and its various overseas jurisdictions and territories. More importantly, however, these laws provide citizens residing in these various areas with a means to receive both justice and compensation should any of their data privacy rights be infringed upon for any reason.